My wife's eBay account had not been used in about a year, until about a month back. Someone in Europe got her Hotmail password, then requested her eBay password via the lost user-password function, then got her PayPal username and password from the eBay link.

After they got the PayPal password, they got $700 out of her checking account. That is how we found it all out: eBay seller fees amounted to +$400, and they were requesting Western Union cash delivery to somewhere in England. They sold video boards all over the world (China, Asia, France, England, the USA) for $450 each plus shipping. Most of what my wife used it for was to buy cheap Tupperware.

I don't have a clue how many got scammed using my wife's account. A lady from New York called us on the phone because of our hometown. She may get her money back from PayPal; it did not go into any account we are familiar with.

ANY old eBay accounts sitting there not being monitored are a liability. Perhaps they should be closed? Your checking account numbers are in there, as is the PayPal connection to any credit cards on file. Just another way to steal from the unsuspecting honest JOE. Once in, they changed all the passwords so my wife could not get into them; most people would have thought it was "them" and that they'd forgotten it... until the police or whoever showed up.

So far we have written a book straightening out this mess, a ring binder. Future possibilities are that we may end up in court yet.

eBay has an online chat now to solve problems like this. The time they double-billed me, it took me thirty minutes to find a phone number for them. I had to prove they double-billed me to get my money back.

lazlo

06-27-2007, 01:19 AM

I had a funny run-in with Ebay customer service last week. I got a scam 2nd Chance Offer -- the usual Ebay message inbox variant, not by email. For some ungodly reason I decided to be a good Ebay citizen, and I forwarded the Scam message to Ebay customer service, and suggested that they might want to do something to shut the guy down.

The response was a form letter explaining that this was not a legitimate 2nd Chance Offer with tips on how to tell if it was real. Duh.

So I wait several days, and the Ebay account that sent me the Scam 2nd Chance Offer is still active (?!). I send Ebay an email this time, reminding them that this particular Ebay account was sending illicit 2nd Chance Offers.

The response? You guessed it -- a FAQ about bogus 2nd Chance Offers.

By this point, I'm getting aggravated, so I reply back and suggest that it would be a good idea to NARU the account that's sending bogus 2nd Chance Offers, especially since their customer support page indicates that the 2nd Chance scam is a major issue for them.

Several days go by, and I get a response from Ebay saying that it wouldn't be fair to disable the scammer's Ebay account, because it could be a legitimate Ebay user whose account was hijacked. !!!

For a perfect finish to the story, today I received a survey request from Ebay customer support, asking if I was happy with the response I received :eek:

As of today, two weeks later, the scammer's Ebay account is still active...

cybor462

06-27-2007, 02:20 AM

Having sold on eBay since it started, I have seen and heard many horror stories like these. I never give my account info to them; well, I should not say that, as they require at least a checking account. I went one better: I had an old account that had been sitting unused for some time, so I gave them that one, and after they verified it was mine I closed the account. The bank was also bought up by a larger fish and changed all the open account numbers anyway.

Bottom line, I have never been scammed, as I have not given them any way to scam me. They still have that account number as my linked account. Good luck to anyone trying to get anything from that account.

I do feel for you. I did have ID theft some years ago, my SS# was used. I was lucky as it was used by a thief who got himself in a wreck while running from the police and was hurt and later died in jail.

And who said bad things do not happen to bad people!

BadDog

06-27-2007, 04:44 AM

One other word of warning, do NOT ever use the same password and ID for paypal and ebay. Or any other account for that matter...

JCHannum

06-27-2007, 07:55 AM

Phishers and scammers do use eBay accounts belonging to others to run their scams, and it is possible to receive correspondence from a legitimate appearing account to run a scam. Second chance offers are among the more popular scams. Another one is to send an invoice for an item you have not purchased, or a letter saying payment is past due on an item you did not purchase.

These are usually very well done, and appear legitimate. Do not open them or reply to them, but check your eBay messages. If it is a legitimate eBay message, it will be there. If not, send it to Spoof@eBay. While you probably will only get the usual boilerplate replies from them, they do actively pursue scammers. It is likely in Lazlo's case that the scammer was not the account holder, and they are doing business as usual, but with new passwords, etc.

David's advice is good, and also applies to any old credit cards you might have lying around, but do not use. If they are not being used, cancel them, don't rely on the CC company to do it for you. Even if you don't renew them when they expire, they might still bite you in the butt.

I hope they get it sorted out for you, David; it does sound as though they are working with you on it. Keep us posted with the progress, and good luck.

Evan

06-27-2007, 09:16 AM

I don't use e-Bay or PayPal but have been buying by mail order since I was a child and online since it has been possible. I follow some simple rules.

1 Set up a separate bank account and credit card with a low limit for online purchases.

2 Use a different bank than where you normally do business. Your online buying info should not be tied in any way to the rest of your financial world.

3 Never send billing information via e-mail such as credit card numbers. Never. E-mail tends to be stored and is no more confidential than a postcard.

4 Use strong passwords on sensitive online accounts. This means passwords that are not in the dictionary and are at least 8 characters long. To make mine easy to remember I use pairs of words that aren't ever normally paired such as "yellowsound" or I use long acronyms.

5 Be prepared to cancel your online buying credit card for any reason at a moment's notice. If you have it set up as suggested, this minimizes problems.

6 Change passwords from time to time. To make it easier to recall what the passwords are use a rotation through a short list of strong passwords.

I have only ever had one real billing issue online and it was immediately solved by cancelling the associated credit card.

Scatterplot

06-27-2007, 10:07 AM

A good way to make a random password is to think of a sentence, then use the first letters of each word. It's easy to remember and won't be easy to crack. Example: "I Have A Brown Dog And His Name Is Rover" would give you the password IHABDAHNIR, which won't be easy to crack and given that you remember the color and name of your dog you're good to go :D

Evan

06-27-2007, 11:36 AM

That is the sort of thing I meant by "use long acronyms". It especially helps to remember if the acronym is somewhat pronounceable, like IROY G BIVUV (the full spectrum).

tattoomike68

06-27-2007, 12:12 PM

4 Use strong passwords on sensitive online accounts. This means passwords that are not in the dictionary and are at least 8 characters long. To make mine easy to remember I use pairs of words that aren't ever normally paired such as "yellowsound" or I use long acronyms.

Add capitals, numbers and symbols.

y3||oWs0uNd

Dawai

06-27-2007, 12:38 PM

Yesterday, they requested a lost password on eBay... they still have the Hotmail account; MSN has not returned email or anything... it is a free email account, so?

Lost was the prioritized email address... since changed... all the emails saved in draft mode were the downfall of the other accounts.

One neat new thing? eBay returns the IP address of anyone changing things on the system. Since they are all different, libraries or coffee houses?

J Tiers

06-27-2007, 01:26 PM

Evan can probably add to this, but in most email programs, you can "view source" without "opening" the email.

Does that still open up any embedded programs or malware for run?

It seems logical that it would not, but it might.

If it does not, you can see who sent it.

Carld

06-27-2007, 02:22 PM

I always view my email at the website of the provider, so nothing comes to my 'puter unless I open the attachment. If you open whatever email program you use on your 'puter and click on receive/send email, everything is downloaded and checked by your virus program if you have one. It is my understanding that if there is an issue with the main part of the email the ISP will throw it out, so a virus has to be in an attachment to make it to your 'puter.

I just viewed my ebay acct. and there is nothing about my checking or savings or credit cards on it. It would be foolish to put them there.

I viewed my PayPal and it only gives the name of the bank and the last 4 numbers of the acct. Maybe I need to open a savings acct with only $50 or $100.

How can someone get your user name and password unless you publish it somewhere?

How do they get your user name and password for paypal?

Wouldn't it have to be an inside job for them to get that info, unless you tell someone yourself?

Dawai

06-27-2007, 03:37 PM

Carl:

They got the email through phishing or some other manner; once they had the email account, they changed the password, got the eBay account from the email address, then got the PayPal account the same way. They changed all the passwords so we could not access them. Locked us out.

It takes a checking account or credit card to sell on eBay. It takes a checking account and credit card on PayPal also. I was reading this morning that they were hacked in Europe last year; all user information was stolen. I don't remember getting a warning. I am sure they sent one, though, somewhere. Not in the mail, though.

They used my wife's accounts for several months. Because it was a seldom-used account, I think my wife had forgotten about having it. Perfect for them.

We are closing it all down tonight; we got our $700 back from the checking acct. She had the same password for years. Perhaps it was accessed from another computer? Accessed from the motel in Florida? Think about that at the next coffee house where you see laptops open everywhere.

lazlo

06-27-2007, 03:47 PM

in most email programs, you can "view source" without "opening" the email.

On Outlook Express, right-click on the email header in the Inbox, then hit "Properties" at the bottom of the popup menu. Click on the "Details" tab, then click the "Message Source" at the bottom.

You can review the message source without activating any attached executables, or firing the inline HTML links which are used to track spam.

Your Old Dog

06-27-2007, 03:57 PM

As of today, two weeks later, the scammer's Ebay account is still active...

Well, if the guy succeeds in scamming me on a 1st or second chance offer, eBay makes the commission on the scam sale.... It isn't in their best interest to shut him down. Not at least until some new regulations come out with fines for eBay :D

Evan

06-27-2007, 03:57 PM

Evan can probably add to this, but in most email programs, you can "view source" without "opening" the email.

Does that still open up any embedded programs or malware for run?

It seems logical that it would not, but it might.

If it does not, you can see who sent it.

That is a perfectly safe way to examine an e-mail in Outlook Express. It is opened as a straight ASCII text file and cannot activate any sort of attachment or other exploit. It doesn't even count as having been opened.

Add capitals, numbers and symbols.

y3||oWs0uNd

While that will indeed make the password stronger it also makes it a LOT harder to remember. Using a pair of ordinary words is plenty strong enough to survive a dictionary attack as the number of possible combinations multiplies instead of adding. So, if there are 100,000 words in a common dictionary attack program to find a combination of two words requires an average of 100,000 squared divided by 2. That's 5,000,000,000 tries on average to break the password instead of just 50,000. By using a password with at least 10 lower case letters a brute force attack must consider 26 to the tenth power combinations by trying all possible combinations of 10 letters. That's 141,167,095,653,376 possible combinations.

BadDog

06-27-2007, 04:04 PM

Some other suggestions.

Most people won't use passwords correctly, which is the biggest problem. They use common words, or phrases, and you're lucky if you can get them to use mixed case. Then they use the same one everywhere! So get a program like Password Minder. Now you only need to remember one *good* password and let the program generate VERY strong (high entropy) unique passwords for each account/site. It can even generate passwords with no direct keyboard mapping (can't simply type from common keyboard) if the site allows it. Once generated, it stores all your passwords using very strong encryption. It takes over 10 seconds just to test the password against the data, so brute force and dictionary attacks are largely useless even if you use a common word (which you won't, right?).

Then when you need to log on, you just let Password Minder (or your choice) do it for you. To make it even easier, you can tie your passwords to biometric readers and such. Not as strong as PWM, but way, way, WAY better than the current situation for 99.999...% of the online public's security measures. You're still vulnerable to "man in the middle" and maybe to direct attacks if someone can get their hands on your pwd file, but there are so many easy targets out there, most bad guys that target individuals lack the skill to implement those attacks. Even if they did, they would have no desire to do the extra work required to exploit these possibilities because they can get a much bigger return by going for the easy targets (of which there are PLENTY). For my critical online banking information, I use PWM to store the info. For random websites with less critical information, I use a biometric fingerprint based system. When I'm prompted to log on, I just touch the panel and proceed. I also use the biometric to log onto my system, and to launch IE under a different account with very low privileges so that bad web sites can't do bad things (like install spyware) on my local computer.

BadDog

06-27-2007, 04:12 PM

While that will indeed make the password stronger it also makes it a LOT harder to remember. Using a pair of ordinary words is plenty strong enough to survive a dictionary attack as the number of possible combinations multiplies instead of adding. So, if there are 100,000 words in a common dictionary attack program to find a combination of two words requires an average of 100,000 squared divided by 2. That's 5,000,000,000 tries on average to break the password instead of just 50,000. By using a password with at least 10 lower case letters a brute force attack must consider 26 to the tenth power combinations by trying all possible combinations of 10 letters. That's 141,167,095,653,376 possible combinations.

That is true only for random combinations. A human will never use truly random combinations from a large dictionary, particularly since the typical human vocabulary only includes relatively few of those words. So people often use phrases or words that "go together". Most dictionaries and attack code now contain common phrases. I've also seen dictionary attack implementations that use common substitutions like "0" (zero) for "o" and "1" for "l". Of course, dictionary attacks on web servers are limited because of bandwidth, both in the pipe and due to the server load. So the time needed for a successful crack generally makes it prohibitively expensive based on the expected return. But if a hacker can get access to, say, eBay or PayPal accounts, download the data to their local computer, and run the attack there... this is how we have cases of thousands of cracked accounts being sold or exploited.
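As an added illustration (not code from any poster in this thread), the following Python puts Evan's search-space arithmetic and BadDog's substitution point side by side: it computes the guess counts with the figures quoted above, and it normalizes common symbol substitutions before doing a dictionary lookup, so that a word pair like y3||oWs0uNd still resolves to two list words. The word list and the substitution table are constructed for the example and are assumptions, not the contents of any real cracking tool.

```python
"""Password-policy helper illustrating two points from the thread above:
   1. Evan's arithmetic: single-word, two-word and brute-force guess counts;
   2. BadDog's point that "leet" substitutions (0 for o, 1 for l, ...) do not
      defeat a dictionary check once the checker normalizes them away.
Constructed illustration: the word list and substitution table are assumptions."""
from __future__ import annotations
from itertools import product

# Constructed, minimal word list standing in for a 100,000-word attack dictionary.
WORDS = {"yellow", "sound", "brown", "dog", "rover", "big", "guy", "password"}
DICTIONARY_SIZE = 100_000   # size Evan assumes for a common attack dictionary

# Assumed substitution table: the plain letters a rule set would try for each symbol.
# An ambiguous symbol maps to several candidates ("1" may stand for "l" or "i").
LEET = {
    "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
    "|": "l", "!": "i", "1": "li", "+": "t",
}

def search_space(strategy: str, word_count: int = DICTIONARY_SIZE, length: int = 10) -> int:
    """Number of candidates an attacker must consider, using the thread's own figures."""
    if strategy == "dictionary":      # one word straight from the list
        return word_count
    if strategy == "two-word":        # two list words glued together: multiplies, not adds
        return word_count ** 2
    if strategy == "brute-lower":     # every lowercase string of the given length
        return 26 ** length
    raise ValueError(f"unknown strategy {strategy!r}")

def average_guesses(strategy: str, **kw) -> int:
    """On average the right candidate turns up halfway through the space."""
    return search_space(strategy, **kw) // 2

def normalize_candidates(pw: str) -> set[str]:
    """Every plain-letter spelling the substitution rules would derive from pw.
    The set grows with each ambiguous symbol, so this is meant for policy checks
    on single passwords, not for bulk processing."""
    choices = [LEET.get(ch, ch.lower()) for ch in pw]   # per position: one or more letters
    return {"".join(combo) for combo in product(*choices)}

def split_two_words(s: str, words=WORDS):
    """Return (a, b) if s is exactly two dictionary words concatenated, else None."""
    for i in range(1, len(s)):
        if s[:i] in words and s[i:] in words:
            return s[:i], s[i:]
    return None

def classify(pw: str, words=WORDS) -> str:
    """Cheapest attack class a substitution-aware dictionary checker would place pw in."""
    for plain in normalize_candidates(pw):
        if plain in words:
            return "dictionary"
        if split_two_words(plain, words):
            return "two-word"
    return "not-in-dictionary"

if __name__ == "__main__":
    for strat in ("dictionary", "two-word", "brute-lower"):
        print(f"{strat:12s} space={search_space(strat):,} average={average_guesses(strat):,}")
    for candidate in ("y3||oWs0uNd", "R0v3r", "IHABDAHNIR"):
        print(f"{candidate:12s} -> {classify(candidate)}")
```

Run stand-alone it prints the three search spaces and shows that y3||oWs0uNd is classified exactly like yellowsound, while the sentence-acronym IHABDAHNIR from Scatterplot's post falls outside the list entirely.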

lazlo

06-27-2007, 04:14 PM

If it does not, you can see who sent it

Yes, but-- you have to know how to read the message headers.

Usually, most of the SMTP headers, the hostnames, and the Reply-To address in a spam or Phishing email are faked. So the spammer puts some sucker's email address in the faked headers, and he/she gets bombarded with hate mail.

The only part of the header you can be sure wasn't faked is the last (top-most) set of Return-path headers. So in this case, if this email was spam, the message is really coming from the machine 10.93.46.15.

In this case, that's really an Austin Road Runner mail server, so you can track back through each layer of Reply-To headers and see that the message originated from 66.135.223.255, which is an Ebay machine. If the message isn't coming from a machine with an IP address in the range of 66.135.192.xxx - 66.135.223.xxx, then it's probably faked:

Yep, the message headers are SO easily faked as to make them nearly useless. The use of anon redirectors, zombies, and other techniques makes even the last hop largely useless. See SPAM for examples. Best bet is to use an email client that can be set to "text only" and be leery of attachments. I use Outlook set to text only and have never had an issue even though I do not run any antivirus at all...
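The header walk lazlo describes, as an added example that is not code from any poster: it reads the Received: chain of a raw message, treats only the top-most entry (written by the recipient's own server) as evidence, and reports the bottom-most entry only as the claimed origin, checking it against the 66.135.192.x to 66.135.223.x range quoted above. The message, hostnames and the private 10.93.46.15 / 203.0.113.7 addresses are constructed for the example.

```python
"""Walk the Received: chain of a raw e-mail to separate the one hop a recipient can
trust from the hops a sender could have forged. Added illustration; the sample
message is constructed and the sender range is simply the one quoted in the thread."""
from __future__ import annotations
import ipaddress
import re
from email import message_from_string

# Constructed sample: three hops. The top-most line was added last, by the recipient's
# own server, so it is the only line the sender could not have written.
RAW_MESSAGE = """\
Return-Path: <bogus-sucker@example.net>
Received: from mail.example.net (mail.example.net [10.93.46.15])
\tby inbox.example.org with ESMTP; Wed, 27 Jun 2007 16:14:00 -0500
Received: from forged-relay.example.com (unknown [66.135.223.255])
\tby mail.example.net with ESMTP; Wed, 27 Jun 2007 16:13:58 -0500
Received: from eBay.com ([203.0.113.7])
\tby forged-relay.example.com; Wed, 27 Jun 2007 16:13:50 -0500
From: "eBay Second Chance" <spoof@example.com>
Reply-To: sucker@example.net
Subject: Second Chance Offer

You have been selected for a second chance offer.
"""

# 66.135.192.0/19 covers 66.135.192.0 - 66.135.223.255, the range the post above names.
TRUSTED_SENDER_RANGE = ipaddress.ip_network("66.135.192.0/19")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw: str) -> list[str]:
    """Received: headers in file order: top-most (most recent hop) first."""
    msg = message_from_string(raw)
    # Unfold continuation lines so each hop is one string.
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]

def hop_ip(received_header: str) -> str | None:
    """The address the receiving server recorded for the connecting host (in brackets)."""
    m = IP_IN_BRACKETS.search(received_header)
    return m.group(1) if m else None

def trustworthy_hop(raw: str) -> str | None:
    """IP from the top-most Received: line, the only one written by a server you control."""
    hops = received_hops(raw)
    return hop_ip(hops[0]) if hops else None

def claimed_origin(raw: str) -> str | None:
    """IP from the bottom-most line: what the chain *claims* was the originating machine.
    Everything below the top line may have been fabricated, so this is a claim, not proof."""
    hops = received_hops(raw)
    return hop_ip(hops[-1]) if hops else None

def origin_in_trusted_range(ip: str | None) -> bool:
    """True when the claimed origin sits inside the sender range the post quotes."""
    return ip is not None and ipaddress.ip_address(ip) in TRUSTED_SENDER_RANGE

def assess(raw: str) -> str:
    """One-line verdict a mail reviewer could log: the trusted hop plus the origin check."""
    origin = claimed_origin(raw)
    verdict = "plausible" if origin_in_trusted_range(origin) else "probably faked"
    return f"last hop {trustworthy_hop(raw)}; claimed origin {origin}: {verdict}"

if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW_MESSAGE)):
        print(f"hop {i} ({'trusted' if i == 0 else 'unverified'}): {hop_ip(hop)}")
    print(assess(RAW_MESSAGE))
```

Note that this checks consistency of the chain, not authorship: as the reply above points out, relays and compromised hosts mean the trusted hop identifies only the machine that handed the message to your server.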

Evan

06-27-2007, 06:14 PM

That is true only for random combinations.

Yes, it is. That is why I suggested a pair of words that don't make a phrase and don't belong together. The biggest problem I have is remembering my passwords and it isn't practical for me to use a password manager as I may be logging on from various computers here at home and my wife's shop or even my Palm.

Most password crackers will attempt a dictionary attack first. If that fails, they go to a brute force attack, and that is where the number of letter combinations I mentioned comes in. I don't know of any cracker software that attempts a two-word comprehensive dictionary attack; it would take too long.

BadDog

06-27-2007, 06:47 PM

Agreed.

Current tools work at various levels. The most primitive (and common) use simple dictionary text files shared among lame "haxors" on wannabe black hat boards. These actually do account for most of the trivial stuff you usually hear about. The more modern and advanced of these tools do things like multi-pass including the obvious character replacement like I mentioned before. The only way these do phrase based attacks is by having the phrases in the dictionary, not at all comprehensive, but given rather predictable human behavior, surprisingly effective.

BUT, the most advanced that I have seen do actual phrase construction using obvious constructs. The technology to do this ranges from primitive adjective noun constructs with variable casing (so might match "BigGuy" and such) up to the most advanced I've seen to date that uses the same phrase construction algorithms we used for free form dictation back when I worked in Speech Recognition Research in the late 90s. These may also start with high probability dictionary attacks, then go more advanced when the point of diminishing returns is hit. These programs are usually used to crack encrypted information retrieved from otherwise compromised systems and attacked locally. Even then, a successful crack with decently strong passwords may take weeks AND assumes you do have a list of valid user accounts. Bandwidth doesn't support using any of this stuff for remote attacks. Oftentimes, if you know the encryption algorithm (not that hard), don't know the account/id names, or the faster dictionary/brute attacks fail, it is easier to attack the encryption itself. But then you know an inherent vulnerability (they do exist, it's a constant game of cat and mouse) or you're looking at years, or even decades...

BadDog

06-27-2007, 07:00 PM

Oh, and I use PWM from multiple systems, though not from public. I have my encrypted pwd file on a secure LAN (in house, locked down) share so that it gets automatically replicated to my portable devices. Using a public computer I'm typically only accessing Google or something, so it has not been an issue. If I need more access, I'll find a WAP and go via VPN or https at the least. I'm also not particularly concerned about the pwd file since, without knowing my "high entropy keyword" and assuming they do not have a "back door" to the algorithm (none known that I know about), it would take them a few decades on average (IIRC) with a fast machine to break it. I don't think my bank accounts are worth that effort, and neither will the hackers...

Dawai

06-27-2007, 08:46 PM

They just told us I could not close either my account or my wife's PayPal account; after talking to a supervisor, they say they have now closed it.

My armpits are so sweaty, I am having a moment. Sweaty hands, dilated pupils. Known as the "fight or flight syndrome". With all the adrenalin flowing in my veins I probably won't sleep tonight.

They also, PayPal, are not in this country. The customer service is somewhere else, cheaper. The customer service is out of country, but the dispute resolution is in the midwest USA somewhere, and could speak better English.

Seems I could not close the eBay account either; it must wait 180 days. What a load of horse****.. I cannot find an address for eBay; anyone got one for a registered letter to eBay?

PayPal's address is

PayPal Inc.
PO Box 45950
Omaha, NE 68145-0950

Evan

06-27-2007, 09:58 PM

eBay Inc.
2145 Hamilton Avenue
San Jose, CA
95125
US

Dawai

06-27-2007, 10:12 PM

Thanks Evan..

The legal way to resolve responsibility and remove liability is registered letters.
Record keeping, and using legal terms.

A few years back, I closed a credit card out; six months later I was getting robot phone calls charging $10 per call trying to collect on the card, which was paid off and closed. I had saved the confirmation number; most people would not have retained it. Seems it was Citibank... though my memory is foggy.

Same way with cell phones: we had a pair that would not work here in North Georgia, until I spoke the term "unable to provide service as contract stated"; they were going to charge us disconnect fees. After them magic words, all was absolved, forgiven, and forgotten.

FOUND THIS: (cut and pasted)
http://www.youtube.com/watch?v=b6ykP8spYrs youtube of hacking in progress..
Now driving home the point again! EbaY is under MASSIVE WORLDWIDE HACK ATTACK, MULTIPLE USER HIJACKING, and IT cannot stop the hackers!
Simple as that!
More of same. These videos are real, genuine, beyond reproach.

This one is rough, (live screen recording) but luckily, I am not trying to build a piano here.

We are starting at one of my blogs, for a quick look at one explanation of the curious appearance of the Medved Charts on 05-03-07, along with more proof that my Davy Crockett video is genuine, (as all they are)
More proof will be posted if need be, as I have the listing from that video saved complete.

(BTW, where did that listing go? Is concealing / obliterating all this FRAUD against the law?)

In this video we see seller / victim: dwood10s(652)
get hijacked by known, repeat hijacking address:

First.Power.Sells @ gmail.com

You may also note that the hijacker is using an image instead of text to display the email address in most of the listings

Right at the end we see what I believe is a legitimate item:
HERB ALPERT & THE TIJUANA BRASS - 7
Item number: 130108028238
Listing and payment details:
Starting time: Apr-30-07 18:30:00 PDT
Starting bid: US $4.99
Duration: 7-day listing
-------------------------------

I will return to update this...
Oh, did I mention these listings are live as I revise this description?
Alpine IVA-D300 - Alpine DVD/CD/MP3/WMA receiver with r
ONLY -= BUY IT NOW =- !!!
Item number: 130110234715
shows: 14 hours 15 mins left.

Not enough proof?
Another "list" has been uncovered, this time compromised ebaY *and* Paypal accounts.
Go here to see for yourselves
tinyurl.com/yoylyc

Be sure to visit these threads from the ebaY Germany forums to see about the latest HUGE lists of compromised ebaY and PayPal accounts, and account takeovers.

ABSOLUTELY SHOCKING!

J Tiers

06-28-2007, 01:07 AM

The concern about spoofed headers is irrelevant......

The idea is to see whether the header PLUS the text appears to be legitimate, i.e. something you are actually expecting.

I have viewed source on items I was going to toss, and found that they were legitimate emails that I was waiting for, but which had goofy subject lines.

You can see if the thing is a drug ad, or a stock tip, etc

BadDog

06-28-2007, 01:55 AM

Fair point... or you can set it for plain text and just open 'er up. :D

Evan

06-28-2007, 02:42 AM

The server admin (me for my e-mail) can also make a big difference. I don't allow executable attachments. I also don't allow e-mail where the body of the mail consists of only a gif image file. All of the mail on my server is screened against a weighted keyword list for common spam and scam words and related characteristics. I don't allow relays and I don't bounce virus or spam mail.

As for tracking down the source of an e-mail by examining the headers it is possible but usually not worth the trouble. About 80 percent of all the spam/scam is being relayed by compromised home computers so finding the true source is nearly impossible.

Dawai

06-28-2007, 11:18 AM

I got on the online chat on ebay, at first they refused to remove my checking and credit card number.. Then after some words they did. They tried to weasel out several times and close the chat.

SO, no PayPal, myself or my wife; no old eBay account for my wife, closed immediately for posting and account information removed. My eBay account is stripped of account numbers. I can still buy by check or money order. I'll have to purchase a temporary debit-type card to sell again on there.

I am not sure eBay or PayPal is secure; I still don't know where the loss of the accounts happened. I have installed a newer version of Linux on the one machine and removed the Ubuntu African Linux off the gamer, put Mepis on it, but it looks to have a Ubuntu kernel. I never trusted the Linux without root privileges.

I did have a camera type server on demand set up to view my home and shop. Apache, perhaps there was a port opened for that? I closed the camera port in the router. It passed through to the Programmer computer for all the requests.. and it had a clean linux with no user information on it. I also disabled the ssid broadcast, and am using WEP keys, so?
Someone explain to me why the WEP key sped up all the computers.

lazlo

06-28-2007, 12:49 PM

Wow David, I'm really sorry you have to go through all that!

Is it worth considering canceling your PayPal and Ebay account, and re-creating a new one? You'd lose your feedback but it might be easier than what you're going through.

I also disabled the ssid broadcast, and am using WEP keys, so?
Someone explain to me why the WEP key sped up all the computers.

Turning off the Station ID beacon is sometimes recommended in the wireless security guides, but it's worthless. As soon as a wireless client sends a probe packet, the access point will respond with the Station ID anyway. On a lot of client wireless access software, the access point will show up with a station ID of "blank" or "hidden," and you can connect to it just like any other Station ID. The IBM "Access Connections" software on my Thinkpad does this.

Turn off WEP and use WPA-PSK, if your access point and your client cards support it. WEP has several security flaws, and freely available software like Aircrack, WEPLab and Kismet can snarf your WEP key in under 15 minutes.

MrFluffy

06-28-2007, 03:09 PM

Add capitals, numbers and symbols.

y3||oWs0uNd

Read BadDog's explanation; there is a tool that will substitute numbers and symbols for letters in a dictionary brute force attack. I don't reckon that password would survive very long on a juicy target against a determined attacker running a few John the Ripper sessions from different locations...
GP's suggestion to use the first letters of a phrase is good; the resultant word isn't directly based on dictionary words, even obfuscated ones..

BadDog, you sound almost as paranoid as me: no password logins allowed, all done with public key, SSH ports on nonstandard ports, and filesystems mounted on AES-256-bit loopbacks with 16-char keys. I won't ask if you have a relaxxs VPN too ;)

Disclaimer, I work in network security for my "real" job...

Dawai

06-28-2007, 03:24 PM

WPS-PSK enabled in router. That took all of 5 minutes.
Now some of the network cameras I gotta get the book out on.

System is overall 30-50% faster than it was yesterday morning. Doing a status on the router, no extra connections. There are rental properties on all sides of my place, and since I live in a plywood shack, I am sure it can be accessed by all (could have been) in the neighborhood. No telling how many were using it, right?

When we lived in town, I found a phone like ours in the hedge bushes.. I picked it up and I had a dial tone. I carried it inside and our phone was on the cradle.. A hobo phone booth.. I chased one of them Hobos about two blocks one night while I was in my underwear, and he was shopping in the back of my lowrider's camper. cap? He outran me cause I knowed what was going to happen to my knees when I tackled him. The law picked him up later that week. It was cold and he needed a nice warm place to sleep. People used to crawl under the old house I rented, it had a gas heater in the floor, it was nice and warm underneath the house.
Anyways, I guess people ride around with their laptops and find open wireless, and with their phones to find a dial tone. And unsuspecting people allow it... I got a digital train encrypted phone now. Someone said it could still be heard on a digital scanner, though.

MrFluffy

06-28-2007, 03:35 PM

Some of the older network cams may not support WPA-PSK, as it was implemented after they were made. If that's the case, you could always see if they have newer firmware available on the website of the manufacturer that makes WPA-PSK available as an option (older Linksys APs were like this).

BadDog

06-28-2007, 03:52 PM

Baddog, you sound almost as paranoid as me, no password logins allowed, all done with public key, ssh ports on nonstandard ports, and filesystems mounted on aes256bit loopbacks with 16 char keys. I wont ask if you have a relaxxs vpn too ;)

Disclaimer, I work in network security for my "real" job...

Hehe, I think you've got me beat there, MrFluffy. :o I'm not quite that paranoid, but I've worked in Software Security related areas (both dev and consulting - worked with Keith Brown (PWM) too, if you know the name) on several occasions and have a pretty good idea how to close the door on the vast majority of would-be haxors, and the real deal doesn't give a rip about my stuff, so it keeps me "safe enough" without much pain.

Evan

06-28-2007, 05:58 PM

I ran my servers wide open on the net for years with only a software firewall and no router or NAT of any sort. Never was compromised although many attempts were made. I used and still use Win98 that I have very carefully configured to close the holes in the system. I recently had to go behind a router because of denial of service attacks and I needed a way to filter traffic by netblock before it hit the machine. I use only open source freeware for all the server and related software. Mercury Mail Transport, Xitami Web/FTP Server, Analog log analyzer, F-prot DOS antivirus, NETSTAT live and a few other security related items such as port monitor/logger.

I still don't use any sort of malware detection or control on any of my machines. I rely on properly configured software as well as user (me) to avoid problems. I also avoid any software that raises even the slightest suspicion in my mind. Mostly I use open source software for most of what I do on the computers.

BadDog

06-28-2007, 07:40 PM

This has been covered before, but likewise, I also run behind a hardware firewall with no bloated nanny software (Symantec, McAfee, etc.) and instead rely on a proper system config along with (minimal actually) user awareness. Even my son and daughter do just fine with no excessive measures. I just ran a couple of anti-spy/malware utilities for the first time in months, and as always, they found nothing.

But the public network traffic is a different matter when dealing with sensitive info like bank passwords and such. And there I do rely on additional measures to protect my important data. That's where VPN, https, and friends become important. I know Evan knows this, but wanted to clarify for general consumption.

Dawai

06-28-2007, 07:43 PM

I closed (I think) a Chase credit card today. I had to go through six people. I did not get a confirmation number or a reference number so I think it probably still is not closed. I got to the point where I was cursing the people; I never disrespect people if I can help it.
At one point they transferred me to the Philippines. With all the internet phones you are never really sure who you are talking to.

Re:
It was listed on ebay as a backup.

I think I have closed all the doors now.

wierdscience

06-28-2007, 08:53 PM

That is a perfectly safe way to examine an e-mail in Outlook Express. It is opened as a straight ASCII text file and cannot activate any sort of attachment or other exploit. It doesn't even count as having been opened.

While that will indeed make the password stronger it also makes it a LOT harder to remember. Using a pair of ordinary words is plenty strong enough to survive a dictionary attack as the number of possible combinations multiplies instead of adding. So, if there are 100,000 words in a common dictionary attack program to find a combination of two words requires an average of 100,000 squared divided by 2. That's 5,000,000,000 tries on average to break the password instead of just 50,000. By using a password with at least 10 lower case letters a brute force attack must consider 26 to the tenth power combinations by trying all possible combinations of 10 letters. That's 141,167,095,653,376 possible combinations.

I was told years ago that using a combination of two or more words and then mis-spelling one or both of them added even more protection, hence my screen name here; it's an old bank account password and an old inside joke = wierdscience

J Tiers

06-29-2007, 12:53 AM

It really is not quite true that the password guessing software needs to try ALL however many possible combinations exist.

In fact, on average, they need only try half of them. That is still a lot, and essentially the same difficulty level. But as an academic point, they need only make all the guesses that they make BEFORE they get your actual password.

As far as odd misspelled words, etc, that is essentially no help at all. The idea that it helps makes the assumption that the cracker also assumes 'real' words. If they make no such assumption, then there is no security in mis-spelling, and no more security in using punctuation than is given by the increased number of permutations.

And, if they find and can steal a hashed password file, then they can get at that offline, "throwing the dictionary at it", etc, until they get just one hit, at which point they have the hash, and can reverse it to get any password they want up until the next required password change. If they can steal just one password, they can make that job much easier.

Lots of ways to do the deed.

Essentially, you have no expectation of security at any point over the net. The telephone is actually far safer.

BadDog

06-29-2007, 03:58 AM

Absolutely correct. Kinda like folks always saying, "It's always in the last place you look." Well, if it's not you've got MUCH bigger problems than losing things! ;)

But you're mistaken in your basic premise.

First off, they DO assume you use real words, and they are right something well over 90% of the time. So they use that knowledge to cut the average time to crack by multiple orders of magnitude (many in fact). Even the more advanced phrase generators and substitution attack implementations are never tried before you first try the dictionary. The dictionary is SO important to the average (or even above) hackers that they actually buy, sell and "trade" (often bartering "owned" systems, discovered vulnerabilities on specific sites, etc.) for the better "upgrades".

But if they did for some unknowable reason decide to automatically use a full character set random generator attack, then they basically doom themselves to elevating the 90%+ number of cracks they could have made in a few hours (or less) to the same status as "hardened" passwords. So that would be about a week to several months just to crack "Fluffy" on any system worth discussion.

Again, all this assumes they have gotten a known set of user accounts to even mount an attack with any reasonable chance of success.

And yes, just as I said earlier, the ideal attack puts the password file on the local hacker's machine. Of course they first have to be good enough to GET the password file, but that's not relevant to this discussion. So we'll assume they use social engineering or otherwise get the file. Now what? No password file (or any sensitive data file) worth its salt since the 80s has been a simple "hashed" data file. With modern encryption utilizing one-way hashes and many other more modern/advanced techniques, getting one password will pretty much never give you the entire file. In fact, it's generally impossible to get the passwords OUT of the file at all. That's why you can generally only reset, NEVER read, a password for any account on any but the most Mickey Mouse of secured systems. On most any modern encrypted password file, assuming no mistakes in the implementation (which admittedly is a big assumption) every password will need to be attacked separately. Only the most elite (and not interested in our piddling data) possess the skills to analyze a few (never just one in any case) cracks to try to refine the algorithms under the best of circumstances.

And all this *assumes* they know the details of the algorithm, salt, and other relevant data so they even have a prayer of doing an isolated attack on a password file. It actually takes a LOT of basic leg work to get the file, figure out the basic data points, and then run the attack. These are NOT the people cracking ebay and paypal accounts. These are the guys cracking entire servers full of client data at Citibank and Amazon or the IRS. And they don't go after passwords, they go after the data files. No need to deal with that one-way hash there since you have to be able to get the data OUT to be of any use to the owning system. That's a MUCH easier task! In that case, NOTHING we can do is going to make a difference as the entire process is out of our hands and will hopefully be covered by the FED or insurance in any case.

This is also the reason you always do a "threat model" before even starting to talk about security (software or otherwise). All you really need is enough security to shut out the bad guys who lack skills (you don't want to just give away even trivial data of any value) and hold off those with skills to the point their work exceeds the value of the target. The problem is in identifying what the value perception is and balancing the risk against usability impact. Usability is ALWAYS inversely proportional to security. And as a result, the more security, the more pain for the user, and the more likely they are going to do something stupid like storing their passwords in a clear text file on their laptop or written on a Post-It so they can remember them. Then all that security work goes right down the drain. This then segues straight into Social Engineering and completely off topic...

Summary: All you can do for ebay, paypal and the like is to make sure you DON'T use dictionary words or even simple/obvious phrases so that the simple attacks run by pimple faced 16yo would-be Haxors and Internet Cafe dwelling losers in Eastern Europe or Africa can't crack it with a 10 minute attack. Combine that with using different passwords at every site and your chances of problems become much lower than your odds of winning the Lottery Jackpot...
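The point made in the last two posts, that a stolen hash file can be attacked offline but that a properly salted file forces the cracker to attack every account separately, is easy to see in code. The following is an added example, not code from the thread or from any of the posters; the account names, passwords and word list are constructed, and SHA-256 is used only because it is in the standard library.

```python
import hashlib
import os

# Constructed sample accounts (hypothetical users and passwords); two of the
# three share a password, which is common in any real user base.
SAMPLE_ACCOUNTS = {
    "alice": "doggies",
    "bob": "doggies",
    "carol": "tupperware",
}

# Stand-in for the cracker's dictionary; a real one has 100,000+ entries.
WORDLIST = ["password", "letmein", "doggies", "fluffy", "tupperware", "ebay"]


def unsalted_hash(password: str) -> str:
    """Plain one-way hash of the password, as in the naive "hashed file"."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt||password. The salt is stored beside the hash in the
    file; it need not be secret, only unique per account."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_db(accounts: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def build_salted_db(accounts: dict, salt_len: int = 16) -> dict:
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(salt_len)  # fresh random salt per account
        db[user] = (salt, salted_hash(pw, salt))
    return db


def crack_unsalted(db: dict, wordlist: list):
    """Hash the dictionary once, then look every stored hash up in the table.
    The work is len(wordlist) hashes no matter how many accounts there are,
    and users sharing a password are visible as identical hashes."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist: list):
    """No shared table is possible: each account's salt forces a separate
    pass over the dictionary, so work grows as accounts x words."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, stored) in db.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, salt) == stored:
                cracked[user] = w
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted = build_unsalted_db(SAMPLE_ACCOUNTS)
    print("unsalted: alice and bob share a hash:",
          unsalted["alice"] == unsalted["bob"])
    print("unsalted cracked, hashes computed:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_db(SAMPLE_ACCOUNTS)
    print("salted: alice and bob share a hash:",
          salted["alice"][1] == salted["bob"][1])
    print("salted cracked, hashes computed:", crack_salted(salted, WORDLIST))
```

Two caveats worth keeping in mind: a salt does nothing for a four-character or dictionary password, since each account still falls to a short separate pass, and a real password store adds a deliberately slow function (bcrypt, scrypt or PBKDF2) on top of the salt so that each of those separate passes is expensive. Plain SHA-256 is used above only to show the effect of the salt in isolation.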

J Tiers

06-29-2007, 11:30 AM

If you assume that someone may use a password that is a name with some punctuation thrown in, it isn't quite as bad as you say.

If you work for a corporation, you WILL have hit "Sarbanes-Oxley", which specifies, among a great number of other things, EXACTLY how a password shall be constructed.

You SHALL use (IIRC), at least 2 out of 3 of the following.... punctuation, capital letters, and numbers, and it SHALL be at least 8 characters.

So what do most folks do? They take their password, such as "doggies", and they change it to "Doggies3", or the like.

Not exactly the hardest thing to crack, given your (reasonable) assumption that the BASE is a "word", DESPITE the fact that it includes the other characters.

Even in the case of a double word, a lot of folks will, for instance, use part of the bank name as one of the words.

However, you would be SHOCKED at the number of "password" systems which WILL NOT ALLOW anything other than letters, or MAYBE letters and numbers, and which are NOT case sensitive.

As it happens, I myself do use concatenated words which are gibberish when put together. That is as much because of how my mind works as it is for security.

Dawai

06-29-2007, 11:33 AM

The trick to this was simply the email account, then requesting "LOST" passwords relating to the emails from paypal and ebay arriving in the email box.

My wife, (bless her soul) only had a 4 letter password. I wonder how she made it this far in life.

An old, seldom-used ebay account with "account" billing is a golden ticket to sell whatever a scammer has, real or imagined. Since the scammer requested cash Western Union, he was not as successful as others taking more risks.

They still retain the email account, Hotmail is near useless, OUR letter to them came back undeliverable. Anyone got a mailing address for the MSN Hotmail department? Not sure what else my wife has access to in that email account? her bank? my bank? retirement?

BadDog

06-29-2007, 03:50 PM

I agree on all points. And that's why enhanced dictionary attacks work so well. Enhanced dictionary attacks will hit all the things you mentioned relatively rapidly, typically within a day or so, maybe even hours depending. They make use of an understanding of basic human nature. So they start with a basic comprehensive dictionary. If the hacker knows the account requirements (min length, at least one symbol, etc.) then the cracking software is configured with that information so it skips illegal passwords. They also have "weighting" that allows the would-be hacker to specify that certain words are likely to be part of a password. So I could say "Add and increase the probability of "Ebay", "auction", "sell", "buy", "win", ..." when cracking ebay member accounts. And of course I can set which symbols to include, and so on. A hacker may well take a day or more setting up to start cracking if they expect to harvest a number of accounts.

And if you think I would be "shocked" at the stupid things done to security systems (like forcing all alpha, no more than 8-10 char, etc.), you would be mistaken. I've had battles more than once trying to force some sanity into system admins (or more likely, management) who just don't get it. But most corp admins do have the sense to use the system to enforce at least decent passwords. Some are even smart enough to run your new password against a dictionary to make sure it's not in there!

Then again, the focus was not corp accounts, but rather site security issues regarding ebay, paypal, and the like. Corp accounts are sometimes "cracked", but usually not by "hacking". Most people don't realize it, but by far the most common way those accounts and data are stolen is via Social Engineering (this includes cons, disgruntled employees, blow hards who just can't keep their mouth shut, etc.). The second most common is the one most people think of first, and that's utilization of a system vulnerability to execute arbitrary code in a privileged (enough to do what's necessary) context. In the last 10-20 years, only a very tiny fraction of corp data is compromised via hacking of passwords and accounts.

And David, you're right, that 4 letter password, probably in the dictionary, would fall within minutes to a cracker. One thing about it, this will be a lesson learned and I'll wager you both use much better passwords from now on. Hopefully you and others on this board will have learned a lot from the discussion.

Good luck...
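The "enhanced dictionary" attack described above, together with the "Doggies3" pattern J Tiers mentions, can be sketched in a few dozen lines. This is an added example, not code from the thread or from any cracking tool; the base and weighted word lists, the mangling rules and the password policy are constructed to match what the posts describe, and a real run would use a full wordlist and far more rules.

```python
import string

# Constructed base dictionary and the attacker's site-specific "weighted"
# words (hypothetical lists; a real run uses a 100,000+ entry wordlist).
BASE_WORDS = ["doggies", "fluffy", "password", "chase", "tupperware"]
WEIGHTED_WORDS = ["ebay", "auction", "sell", "buy", "win"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = [str(d) for d in range(10)] + ["!", "1!", "123", "2007"]


def meets_policy(candidate: str, min_len: int = 8) -> bool:
    """The corporate rule quoted in the thread: at least 8 characters and at
    least 2 of {digit, capital letter, punctuation}. A cracker who knows
    the rule skips anything that could not be a valid password."""
    classes = (
        any(c.isdigit() for c in candidate)
        + any(c.isupper() for c in candidate)
        + any(c in string.punctuation for c in candidate)
    )
    return len(candidate) >= min_len and classes >= 2


def mangle(word: str) -> list:
    """Cheap human transformations of one base word: case changes, leet
    substitution, and the trailing digit or symbol people bolt on."""
    variants = [word, word.capitalize(), word.upper(),
                word.translate(LEET), word.capitalize().translate(LEET)]
    out = []
    for v in variants:
        out.append(v)
        out.extend(v + s for s in SUFFIXES)
    return out


def candidates(base=BASE_WORDS, weighted=WEIGHTED_WORDS):
    """Ordered guess stream: weighted words first, then the base list,
    duplicates dropped so no guess is spent twice."""
    seen = set()
    for word in list(weighted) + list(base):
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def guesses_until(target: str):
    """Policy-compliant guesses spent before hitting target; None if the
    enhanced dictionary never produces it (e.g. a random string)."""
    n = 0
    for cand in candidates():
        if not meets_policy(cand):
            continue
        n += 1
        if cand == target:
            return n
    return None


def dictionary_size() -> int:
    """Total number of policy-compliant guesses the whole run makes."""
    return sum(1 for c in candidates() if meets_policy(c))


def brute_force_keyspace(length: int, alphabet_size: int = 26):
    """For comparison: the full keyspace and, as J Tiers notes, the
    expected number of guesses, which is half of it."""
    space = alphabet_size ** length
    return space, space // 2


if __name__ == "__main__":
    for pw in ["Ebay2007", "Doggies3", "D0gg13$1", "xqzkrtwplm"]:
        print(f"{pw:12} hit after {guesses_until(pw)} guesses")
    print("enhanced dictionary size:", dictionary_size())
    print("26^10 keyspace and expected guesses:", brute_force_keyspace(10))
```

Running it shows why the mangled-word passwords fall in well under a thousand guesses while a ten-letter random string is never produced at all: the whole enhanced dictionary here is at most 750 candidates against the 141,167,095,653,376 combinations of ten lowercase letters computed earlier in the thread.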

Dawai

06-29-2007, 07:00 PM

HOW do you find a keylogger program? How about a renamed virus? As I used to know, only named viruses are found during a scan. How do you set your system up to alarm on a ping and then list the ISP?

My wifes password consisted of two letters, two numbers. BUT only being 4 characters long a random generator would find it out in a while.

One thing interesting, make two mistakes entering a hotmail password, it refuses the correct one when finally entered correctly. I found that out yesterday.

BadDog

06-29-2007, 08:14 PM

Detection software never looks for just a file name; it looks for "signatures", specific binary patterns associated with the target programs.